Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in Steam and their game exploited, reports Computerworld, who say their request for comment on this was not immediately fulfilled by Valve (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.
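The two behaviours described above, a steam:// URL padded with spaces and a script that redirects the browser to one, can be looked for in page source by a proxy or content filter. The following is an added example, not code from the article or from ReVuln; the sample page is constructed, the names after steam:// are placeholders, and the 8-character padding threshold is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample page. The names after steam:// are placeholders,
# not real Steam commands.
SAMPLE_HTML = (
    '<a href="steam://placeholder-store/12345">Store page</a>\n'
    '<a href="steam://placeholder-cmd/' + "%20" * 12 + 'hidden-part">Free key</a>\n'
    '<script>window.location = "steam://placeholder-cmd/arg";</script>\n'
)

# steam:// URL inside a quoted HTML attribute or JavaScript string literal.
STEAM_URL = re.compile(r"""(["'])(steam://.*?)\1""", re.IGNORECASE | re.DOTALL)
# Text just before the opening quote that indicates a script-driven redirect.
NAV_ASSIGN = re.compile(r"location(?:\.href)?\s*=\s*$", re.IGNORECASE)
PAD_RUN = 8  # assumed threshold for a suspicious run of whitespace


def longest_whitespace_run(url):
    """Length of the longest whitespace run after percent-decoding."""
    runs = re.findall(r"\s+", unquote(url))
    return max((len(r) for r in runs), default=0)


def audit_page(html):
    """Return one finding per steam:// URL found in the page source."""
    findings = []
    for m in STEAM_URL.finditer(html):
        url = m.group(2)
        before = html[max(0, m.start() - 40):m.start()]
        run = longest_whitespace_run(url)
        findings.append({
            "url": url,
            "pad_run": run,
            "padded": run >= PAD_RUN,
            "script_redirect": bool(NAV_ASSIGN.search(before)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML):
        print(f)
```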

What I do not get is how anyone here at Blue's can see Steam as anything other than an annoying, but regretfully necessary network client on our computers.

Convenience is a bitch? Tried and true expression, yet people are always surprised when they come face to face with it and have to "accept" it again.

Steam has to be one of the most convenient pieces of software, especially related to gaming... ever.

You know what's annoying? Keeping track of hundreds of install CDs and DVDs. Keeping them unscratched. Keeping games patched and up to date manually. Being at a friend's house and wanting to show them a game, but not carrying said CD/DVDs on you at all times... Those things are all annoying.

Instead I have one online backup, and one offline backup of all of my save games, ever... on one DVD... and I can access my games anywhere the internet works.

So from what I understand here... if you have a properly secured browser in the first place, this won't be an issue because there is no reason for a rogue javascript to be getting anyone at this point.

... and unless Bluenews.com or espn.com start trying to hack the planet, anyone who runs into this vulnerability (again, with an unsecured browser) is completely at fault here?

Good. Looks like more "security problems" I won't have to worry about.

The exploitable vulnerability with computers sits in front of the keyboard.

It's almost as if there is no reason for any of the larger spyware offenders to spend any time on this... because they would have been better off exploiting the browser in use to launch the steam URL in the first place. Browsers that are on many more computers than steam clients.

The "quick uninstall steam" crowd here is hilarious. How about "quick, don't click on stupid shit anyway, regardless of if it's steam or some other program on your computer being exploited".

avianflu wrote on Oct 18, 2012, 10:55: What I do not get is how anyone here at Blue's can see Steam as anything other than an annoying, but regretfully necessary network client on our computers.

I don't know man. I'm older now, I don't want to patch my own games anymore. I like just making a fast purchase and being able to play shortly after instead of trucking out to the store or waiting on UPS. I actually use the Friends/Community features and consider them a benefit. Back when I used to play WoW I made a ton of gamer friends and we all keep in touch and play various games through our Steam accounts. The recent improvements to the library features have made it a very competent game library manager too.

It's not perfect, there's a lot I'd like to improve. I want Steam to handle backing up my game saves and shit, not just Steam Cloud enabled games but everything. I'd like better workshop integration and so on. I don't look at it as a regretful annoyance though, I wouldn't use it if that was the case. When Steam was initially released it was largely a piece of shit and guess what, I barely ever used it as a result.

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said. ... In order to protect themselves users can disable the steam:// URL protocol handler manually or with a specialized application, or can use a browser that doesn't automatically execute steam:// URLs.

I think that regardless of if the link comes from a javascript or not, at some point the browser gets to the part where it's going to pass the URL on, and if it's set to prompt it should prompt at that stage.

Also, last time I checked, Valve had disabled the "run any URL from steam" functionality. It has to be an actual steam url, and you can't just give the whole url, but have to go through its system. So for instance, you can give it an appid and it will open any store page, but it won't open steam://www.whackyVirusHere.com

I was trying to find a way to make a steam url for a greenlight vote page, and I couldn't since steam hasn't integrated that into the URL stuff yet.

hb3d wrote on Oct 17, 2012, 19:53: Valve needs to autoupdate Steam to get rid of the URL handler as an immediate step to blunt this attack, but the Steam website is full of the URLs so it's going to break all that functionality.

This is highly likely to be their move IF they do anything. Regardless of what it breaks. They have a history of just disabling entire features/functionality rather than fixing bugs/exploits within them.

UNINSTALL STEAM IT'S THE ONLY WAY TO BE SAFE
INSTALL ORIGIN AND UPLAY THEY ARE LIEK STEAM BUT BETTER

Yeah I'm not sure what exactly the point was supposed to be in his rants about hypocrisy in the community. I don't see him posting about the Origin patchnotes every time they finally fix a bug or security flaw or advising people to uninstall it.

hb3d wrote on Oct 17, 2012, 22:13: I'm not a fan of EA at all, but I hate the hypocrisy and blind bias I see around here and on other PC game forums. That is why I defended EA over its recent give away of free games. It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous. EA even posted a notice on the previous survey link that new coupon codes would be sent out to those that didn't get one for the previous survey because it had to be closed. Now, that's good customer service for any company including EA.

EA has done a lot of bad shit over the years to earn their reputation and we don't need our life validation from you. Your constant snobbery and accusations about how people aren't acting how you think they should is just annoying and a waste of time.

It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous.

I freely admit I'm an EA hater (but given their long sordid history of being a shitty company, certainly not without cause) but if I saw there was credit to be given I would give credit where it was due. All I saw in the latest EA debacle was a ham-fisted and poorly managed attempt to gain some small measure of market penetration by giving people free games (a move so counter to their normal philosophy it serves to prove how desperate they are in my mind) which ended up being exploited like crazy. It couldn't have happened to a nicer company.

At what point does a company with a history of security problems and abysmal customer service stop being "awesome"?

So that's what this is about? It pisses you off that people think Valve is awesome? Seems pretty petty to me. I think their customer service sucks, as I already detailed earlier, but that's not enough to make me start hating on Valve like you wish I would. It seems every service has had its share of security issues lately, and while others might have raised hell I have always taken it as a matter of course considering the way things are today regardless of who it happens to. Valve isn't perfect, and not a person that I've heard said they are, but they have a long, LOOONG way to go to even come close to being as anti-consumer as EA is. The companies are almost polar opposites.

This comment was edited on Oct 17, 2012, 22:41.

“The greatness of a nation and its moral progress can be judged by the way its animals are treated.” - Mahatma Gandhi

Prez wrote on Oct 17, 2012, 21:40: Well it's no secret he's not a fan of Steam (but a big fan of Amazon and EA)

I'm not a fan of EA at all, but I hate the hypocrisy and blind bias I see around here and on other PC game forums. That is why I defended EA over its recent give away of free games. It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous. EA even posted a notice on the previous survey link that new coupon codes would be sent out to those that didn't get one for the previous survey because it had to be closed. Now, that's good customer service for any company including EA.

that doesn't necessarily make him wrong.

He has to attack the messenger because he doesn't like the message and can't handle the truth.

Regarding this latest Valve security problem the silence on this both from Valve and its fans speaks volumes. When Ubisoft had a similar exploit months ago in a browser plug-in for its game client, most of you and others exploded with vitriol at Ubisoft over it even when you weren't even affected by it because you hadn't installed the plug-in. And, Ubisoft responded and fixed the problem in the same day it was reported in the news. Here, Valve didn't even reply to the researchers who discovered the problem or to Computerworld that initially reported the story. And, this latest Valve security problem affects far more people since more people use Steam and more products since the vulnerabilities are in the Steam software and several game engines itself. The few Valve fanboys who bothered to respond in this thread either stuck their heads in the sand and denied the scope of the problem and/or blamed the researchers who found the exploits rather than place the blame on Valve where it belongs.

At what point does a company with a history of security problems and abysmal customer service stop being "awesome"? Valve is now a multiple billion dollar company. It has a virtual monopoly on PC game distribution. It needs to stop acting like a bunch of free-wheeling hippies and stop treating customer service and security like some distant afterthought and inconvenience which interrupts its playtime. But, Valve will never improve and devote the personnel and resources necessary to those functions unless customers demand it. And, so long as the company has millions of minions who think it is "awesome" anyway and keep gladly giving it their money regardless of its repeated failings, that will never happen. That is why it is important to complain even when it is your favorite company in the wrong.

UNINSTALL STEAM IT'S THE ONLY WAY TO BE SAFE
INSTALL ORIGIN AND UPLAY THEY ARE LIEK STEAM BUT BETTER

Now you're speaking his language.

Well it's no secret he's not a fan of Steam (but a big fan of Amazon and EA); however, that doesn't necessarily make him wrong. Personally, I just redirected the steam url handler to open notepad instead as someone advised in the Steam forums. Steam will of course redirect this back when it is restarted, but I leave mine running all the time so no restart = no problem.
